
Bosnia & Herzegovina
Data Protection
Introduction
Data protection is primarily regulated at the state level of Bosnia and Herzegovina (BiH) by the Law on the Protection of Personal Data (DPA), which applies to the entire territory of BiH. The DPA is aligned with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. At the time this publication was prepared, a new DPA had been adopted in BiH but had not yet been published in the BiH Official Gazette. The answers provided here are based on the provisions of the new DPA adopted by the Parliamentary Assembly of Bosnia and Herzegovina on 30 January 2025, which applies after the expiration of 210 days from the date of its entry into force.
The new DPA is aligned with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (GDPR)) and Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (Law Enforcement Directive (LED)).
At the state level of BiH, there are also bylaws that further regulate the application of the DPA. These have been adopted pursuant to the old law and will have to be aligned with the new DPA.
BiH is composed of two administrative entities: the Federation of Bosnia and Herzegovina (FBiH) and the Republika Srpska (RS), along with the Brčko District (BD) which is a special administrative unit. Applicable rules may be adopted at the state level, in which case they apply to the entire territory of BiH; or at the entity or administrative unit level, in which case the rules apply only in the subject entity (the FBiH or the RS) or the unit (the BD). Legislation at all four administrative levels will hereinafter be referred to as local legislation.
Data protection is also governed by laws regulating labour and access to information processed by public authorities, as well as criminal procedure laws regulating access to personal information of data subjects during criminal investigations.
The Personal Data Protection Agency (“Agency”), as the state-level regulator, is tasked with overseeing the enforcement of data protection regulations, ensuring compliance with legal requirements. Local legislation also provides for judicial protection in cases of violations of individuals’ rights to personal data protection.
1. What national laws regulate the collection, use and disclosure of personal data?
Data protection is regulated by the following pieces of legislation:
State-level (BiH):
- The Law on the Protection of Personal Data (Official Gazette of BiH, Nos. 49/06, 76/11 and 89/11); this legislation will be replaced by the new DPA eight days after its publication in the Official Gazette.
- The Law on Freedom of Access to Information on the Level of BiH Institutions (Official Gazette of BiH, No. 61/23).
- The Law on Criminal Procedure of BiH (Official Gazette of BiH, Nos. 3/03, 32/03, 36/03, 26/04, 63/04, 13/05, 48/05, 46/06, 29/07, 53/07, 58/08, 12/09, 16/09, 53/09, 93/09, 72/13 and 65/18).
- The Regulation on the Means of Maintaining and the Format of Data Collections (Official Gazette of BiH, No. 52/09).
- The Regulation on Data Storage Methods and Technical Protection Measures for Personal Data (Official Gazette of BiH, No. 67/09).
- The Regulation on Inspections for Personal Data Protection (Official Gazette of BiH, No. 51/09).
- The Regulation on the Procedure for Addressing Complaints Submitted by Data Subjects to the Personal Data Protection Agency (Official Gazette of BiH, No. 51/09).
FBiH specific:
- The Labour Law (Official Gazette of FBiH, Nos. 26/16, 89/18, 23/20, 49/21, 103/21, 44/22 and 39/24).
- The Law on Freedom of Access to Information in FBiH (Official Gazette of FBiH, Nos. 32/01 and 48/11).
RS specific:
- The Labour Law (Official Gazette of RS, Nos. 1/16, 66/18, 91/21, 119/21, 112/23 and 39/24).
- The Law on Freedom of Access to Information (Official Gazette of RS, No. 20/01).
- The Law on Criminal Procedure of RS (Official Gazette of RS, Nos. 53/12, 91/17, 66/18 and 15/21).
BD specific:
- The Labour Law (Official Gazette of BD, Nos. 34/19, 2/21, 6/21 and 15/22).
2. To whom do the laws apply?
The DPA applies to all legal and natural persons, including public authorities, processing personal data across the entire territory of BiH. The only data exempted from the scope of the DPA is personal data processed by natural persons exclusively for personal or household purposes.
The DPA categorises the subjects as follows:
- Data Subject: any identifiable natural person, particularly by reference to a personal identification number or through one or more identifiers specific to their physical, physiological, psychological, economic, cultural or social characteristics.
- Controller: any natural or legal person, public authority, agency or other body which, independently or jointly with others, manages and processes personal data and determines the purpose and method of such processing in line with applicable regulations.
- Processor: any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient: any natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether a third party or not.
- Third Party: any natural or legal person, public authority, agency or other body, other than the data subject, controller, processor, and those authorised to process personal data under the direct authority of the controller or processor.
3. What is the territorial scope of the law?
The territorial scope of the new DPA covers all personal data processing activities conducted by any legal or natural person, including public authorities, with a registered seat, residence or temporary residence in BiH, or in any other place where BiH legislation applies according to international law, regardless of whether the processing itself takes place inside or outside BiH.
The new DPA applies to legal and natural persons without a registered seat, residence or temporary residence in BiH if they process personal data of data subjects in BiH: (a) when offering goods or services to them; or (b) when monitoring their behaviour within BiH. A data controller without a registered seat in BiH must appoint a representative for processing activities. This requirement does not apply to occasional data processing nor to the processing conducted by the public authorities. Occasional data processing does not include large-scale processing of special categories of data or criminal convictions and offences.
The Agency does not have authority over foreign entities. The Agency has affirmed this position in its decision regarding the misuse of personal data on Facebook, dated 25 January 2012. Thus, the Agency cannot exercise audits over, nor impose fines on foreign legal or natural persons.
4. What acts and operations relating to personal data are regulated?
Any action performed on personal data is considered personal data processing. This includes both automated data processing activities as well as data processing through manual filing systems.
The DPA specifies that the following actions constitute personal data processing:
- data collection;
- data entry, organisation or storage;
- data modification;
- data consultation or usage;
- data retrieval;
- data transfer, dissemination or access provision by other means;
- data classification or merging; and
- data blocking or deletion.
5. What personal data does the law regulate?
Any information that allows a natural person to be identified or identifiable is considered personal data protected under the DPA.
An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, personal identification number, or to one or more factors specific to physical, physiological, psychological, economic, cultural or social characteristics of that natural person.
6. Are any types of personal data subject to a higher level of protection under the law?
The DPA provides for special categories of personal data which are subject to stricter processing conditions. The special categories of personal data include the following:
- racial or ethnic origin;
- political opinions or party affiliation;
- trade union membership;
- religious or philosophical beliefs;
- health data;
- genetic data;
- data concerning an individual’s sex life or sexual orientation;
- criminal records and criminal convictions.
To process a special category of personal data, one of the following criteria has to be met:
- The data subject has given explicit consent to the processing of personal data for specified purposes, except where a specific law provides that the data subject’s consent cannot serve as the legal basis.
- Processing is necessary to carry out the obligations or exercise rights of the controller or the data subject related to employment, social security or social protection, in so far as it is stipulated by the law or a collective bargaining agreement.
- Processing is necessary to protect the vital interests of the data subject or of another natural person if the data subject is physically or legally incapable of giving consent.
- Processing is carried out by a foundation, association, trade union or any other non-profit organisation with a political, philosophical or religious aim in the course of its legitimate activities and with appropriate safeguards, provided that the processing relates solely to the members or former members of the organisation or to persons who have regular contact with the organisation, and that the data is not disclosed outside that organisation without the consent of the data subjects.
- Processing relates to personal data that has been clearly and publicly disclosed by the data subject.
- Processing is carried out by a court acting in a judicial capacity or is necessary for the establishment, exercise, or defence of legal claims.
- Processing is necessary for reasons of substantial public interest, based on law that is proportionate to the aim pursued, respects the essence of data protection, and provides suitable and specific measures to safeguard the data subject’s rights.
- Processing is necessary for preventive or occupational medicine, assessing an employee’s working capacity, medical diagnosis, providing health or social care or managing health or social care systems, based on law or an agreement with a health professional. Processing must be conducted or monitored by a professional bound by professional secrecy.
- Processing is necessary for the purposes related to public health, such as protecting against serious cross-border threats or ensuring high standards of healthcare and medicinal products, based on the law which provides for suitable measures of data protection.
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which should be proportionate to the aim pursued, respect the substance of data protection and provide for suitable data protection measures.
7. What requirements must be fulfilled in order to process personal data?
The new DPA stipulates that one of the following conditions has to be fulfilled to process personal data in line with the DPA:
- the data subject has given consent to the processing of personal data for specified purposes;
- processing is necessary for the execution of a contract to which the data subject is party or for conducting actions at the request of the data subject prior to entering into a contract;
- processing is necessary for the controller to comply with a legal obligation;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary to perform a task carried out in the public interest or to exercise the official authority vested in the controller;
- processing is necessary to fulfil the legitimate interests of the controller or a third party, except where such interests are overridden by the interests of protecting the data subject’s personal data.
As with the GDPR, the DPA stipulates special requirements for minors’ consent to data processing related to IT services, requiring parental or custodial approval for the validity of consent given by a minor under 16.
The data subject can revoke the consent at any time, unless otherwise agreed upon with the data controller.
Local legislation does not mandate a specific form for consent. However, obtaining written consent is advisable for all categories of personal data as the DPA stipulates that the controller is required to prove that the data subject has granted consent for data processing.
8. What obligations apply when processing personal data?
Processing has to be based on one of the six legal bases under the DPA. Controllers have to ensure that processing is fair and transparent, meaning data subjects must be informed about how their data is used through a clear and accessible privacy notice.
Personal data must be collected for specified, explicit and legitimate purposes and cannot be further processed in a manner incompatible with those purposes unless a valid legal basis applies.
Controllers should avoid collecting excessive personal data and ensure that only the necessary amount of data is collected and processed.
Controllers must ensure that personal data is accurate, complete and up-to-date, by taking reasonable steps to correct or delete inaccurate or outdated data without delay.
Personal data cannot be kept for longer than necessary for the purpose for which it was collected. Controllers should define data retention policies and securely delete or anonymise data when it is no longer needed. Personal data can be kept for a longer period of time if it will be processed solely for archiving purposes in the public interest or for the purpose of scientific or historical research or for statistical purposes.
Both the controller and the processor must take appropriate technical and organisational measures to prevent unauthorised data access, alteration, transfer or loss, as well as data misuse or destruction. Such measures include encryption, access controls, pseudonymisation, and regular security assessments.
In the case of a personal data breach, the controller or the processor must notify the Agency within 72 hours if there is a risk to individuals’ rights and freedoms. The controller or the processor should also inform the affected data subject without further delay.
A Data Protection Impact Assessment (DPIA) is required under the new DPA when data processing is likely to result in a high risk to data subjects’ rights. This includes large-scale surveillance, systematic monitoring or processing of sensitive personal data. A DPIA must assess the necessity, proportionality and risks of the processing and identify measures to mitigate those risks. If the assessment indicates a high, unmitigated risk, the controller must consult the Agency before proceeding.
Appointing a Data Protection Officer (DPO) is mandatory if a controller or a processor engages in large-scale systematic monitoring or processes sensitive personal data as part of its core activities. The DPO must have expert knowledge of data protection law and act independently, ensuring compliance, advising on DPIAs, and serving as the contact point for both data subjects and the Agency. While the DPO does not bear personal liability for non-compliance, they must be involved in all data protection matters and be provided with the resources necessary to fulfil their role effectively. The DPO can be either an employee of the controller or processor or act on the basis of a services agreement.
The new DPA imposes an obligation on controllers and processors to maintain internal Records of Processing Activities. Small entities that employ fewer than 250 employees are exempt from this obligation, unless their processing:
- is not occasional;
- includes special categories of data or data on criminal convictions; or
- poses a risk to data subjects’ rights.
Video surveillance can be implemented only for the purpose of protecting property and individuals’ security, provided that such interests do not override individuals’ rights. In the case of video surveillance, the controller or the processor must display, in a prominent location, information about the surveillance system and contact details for obtaining further information about the surveillance activities. If the video surveillance is not mandated by law, the controller is required to adopt a decision regulating the rules of processing in order to protect individuals’ privacy.
The controller is required to inform the data subject of the following matters:
- identity and contact details of the controller;
- contact details of the DPO;
- purposes of the processing for which the personal data is collected;
- legal basis for the processing;
- legitimate interests pursued by the controller or a third party if processing is based on legitimate interests;
- recipients or categories of recipients of the personal data, if any;
- intention to transfer personal data to a third country or international organisation, and if so, details of the appropriate safeguards;
- data retention period;
- data subject rights;
- right to withdraw consent at any time;
- right to lodge a complaint with the Agency;
- whether providing data is a statutory or contractual requirement and the consequences of failing to provide the data; and
- existence of automated decision-making, including profiling.
9. What rights does the data subject have in relation to personal data?
The data subject has the right to be informed about the processing of their personal data. This right corresponds with the controller’s duty to inform the data subject before data processing (listed above, Question 8).
If personal data is not collected from the data subject, the controller must also inform the data subject of the source of the data.
The data subject has the right to receive confirmation as to whether or not their personal data is being processed. The confirmation should include the following information:
- purposes of the processing;
- categories of personal data being processed;
- recipients or categories of recipients to whom the personal data has been or will be disclosed;
- intended data retention period;
- rights of a data subject;
- right to lodge a complaint with the Agency;
- source of the data, if it was not collected directly from the data subject;
- existence of automated decision-making; and
- if data is transferred to a third country or international organisation, the data subject must be informed about the appropriate safeguards.
Data subjects can request corrections to inaccurate or incomplete data.
A data subject has the right to request erasure of their personal data without undue delay if one of the following grounds applies:
- personal data is no longer necessary for the purposes for which it was collected or processed;
- the data subject withdraws consent;
- the data subject objects to processing and there are no overriding legitimate grounds for processing;
- the data subject objects to processing for direct marketing purposes;
- personal data has been unlawfully processed;
- personal data must be erased to comply with controller’s legal obligation; or
- personal data has been collected in relation to offering IT services to a child.
Data subjects can request that processing be limited or restricted, in the following situations:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject requires the data for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing and the procedure for verifying whether the legitimate grounds of the controller override those of the data subject is pending.
Data subjects can request their data in a structured, commonly used and machine-readable format and have it transmitted to another controller, where the processing is based on a contract or consent or is carried out by automated means.
Data subjects have the right to object to the processing of their personal data if processing is based on legitimate interest of the controller or the public interest. Furthermore, the data subject has the right to object to the processing of personal data for direct marketing purposes. If the data subject objects to direct marketing, the processing must cease immediately. If the objection is based on legitimate interests of a controller or public interest, the controller can continue processing only if they can demonstrate compelling legitimate grounds that override the data subject’s rights. The data subject must be informed of their right to object at the time of data collection.
If the data subject suffers any material or non-material damage as a result of a privacy violation by the controller or processor, the controller is liable to provide compensation. The data subject has to prove the controller’s liability for the material or non-material damage caused by the misuse of personal data. However, the controller can avoid liability if it demonstrates that it is not responsible for the damage.
10. What rules regulate the sending of commercial or direct marketing communications?
The new DPA aligns the national legal framework with the ePrivacy Directive and GDPR.
As per the new DPA, controllers have the right to process personal data for direct marketing purposes based on legitimate interests, in which case the data subject can object to such processing at any time. If a data subject objects, the controller must immediately stop processing their data for direct marketing.
No later than the first contact with the data subject, they must be explicitly informed of their right to object. This information must be presented clearly and separately from any other content.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
The general rule is that the transfer of personal data outside BiH is permitted only if the recipient country provides an adequate level of data protection. The new DPA stipulates that the Council of Ministers of BiH is responsible for deciding on the adequacy of the level of data protection, on the Agency’s proposal. The list of countries or territories that do not provide an adequate level of data protection is to be published in the Official Gazette of BiH. A controller or processor can transfer personal data to a listed country or territory only if it ensures that adequate safeguards are in place and that the data subject is granted enforceable rights and effective judicial protection. An adequate level of data protection can be ensured by using standard contractual clauses approved by the Agency, binding corporate rules or explicit contractual commitments between controllers or processors.
In exceptional cases, the GDPR permits data transfers to countries without an adequacy decision, even in the absence of appropriate safeguards. Such transfers are permitted if the data subject has explicitly consented, provided they have been informed of the risks. Other permissible grounds include situations where the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures requested by the data subject. Additionally, transfers can occur when necessary for important public interest reasons, the establishment, exercise or defence of legal claims or to protect the vital interests of the data subject or another person when they are unable to give consent.
12. What are the investigatory and enforcement powers of the regulator?
The Agency, as the state-level regulator, has the following powers:
- supervising the application of the DPA;
- raising awareness of the importance of personal data protection;
- advising public authorities on the protection of personal data;
- raising controllers’ and processors’ awareness of their obligations under the DPA;
- providing information on the exercise of the data subjects’ rights, at their request;
- deciding on complaints filed by organisations for the protection of personal data;
- monitoring and tracking the field of personal data protection;
- adopting standard contractual clauses;
- maintaining a list of processing related to the obligation to perform a DPIA;
- advising on the personal data processing;
- encouraging the adoption of codes of conduct and approving such codes;
- encouraging the establishment of data protection certification mechanisms and approving certification criteria;
- approving adequate data protection measures for the transfer of data to third countries;
- approving Binding Corporate Rules; and
- maintaining the records of DPA breaches and the measures taken.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Local legislation provides the following sanctions and remedies for unlawful data processing:
- administrative measures and administrative fines;
- compensation for damages caused by infringement of the right to privacy; and
- criminal penalties.
When the Agency identifies non-compliance with the DPA, it is authorised to impose administrative measures, including the cessation of unlawful processing. The affected controller must promptly implement the imposed measures and notify the Agency of the actions taken within 15 days. The Agency can also impose fines on controllers and processors, ranging from BAM 10,000 to BAM 70,000 (approx. EUR 5,000 to EUR 35,000), for breaches of the DPA.
Unauthorised use of personal data is a criminal offence under the Criminal Code of BiH, punishable by up to six months’ imprisonment. Both legal and natural persons can be held liable for this offence.